Managing the complexities of large, distributed networks is a daunting task, with hundreds, even thousands, of mixed-vendor bridges, switches, routers and gateways. Managing the security settings on these devices from a central console sounds wildly impractical -- the requirements are complex, and there are too many fast-moving parts. But, the demands of global business and regulatory compliance are forcing enterprises to consider management consoles that push granular policy updates to heterogeneous devices. There are several environments in which this functionality is critical:
- Multinational enterprises, which may want to segment their networks to comply with the regulatory requirements of the host nation.
- Manufacturing environments, in which headquarters may need an administrative connection to the plant but the company doesn't want anyone or anything touching the computers running the assembly line.
- HR and finance departments, which share a lot of sensitive information among themselves and little with other employees and customers.
- Business partner connections or newly acquired enterprises, where the "other end" of the network is unknown.
- Enterprises carving out logical networks for users, Web server farms, management backbones, etc., with specific risk thresholds and security requirements.
MORE INFORMATION ON NETWORK SECURITY:
- Join us for a
- live interactive webcast on Thurs., July 29 at noon ET with Christopher King on policy compliance for end-point devices. (Webcast will be available on-demand after July 29.)
- Learn more about network device compliance in this Security Tool Shed column.
- Attend Information Security Decisions Oct. 6-8 in Chicago and learn more about the latest developments in network and endpoint security.
Managing each set of devices based on particular needs is imperative, but how? Custom scripts can help, and most network vendors have some sort of console; but, for the most part, these devices are operated independently. Network security provisioning solutions provide centralized management of heterogeneous network devices -- routers, switches and even VPNs and firewalls. Aside from stronger configuration control, the solutions also offer SSO for network devices, central logging and, in most cases, network configuration management. Here are a few:
- Gold Wire Technology's Formulator manages ACLs and other configuration parameters and provides infrastructure integrity to network devices, popular firewalls and Linux and Solaris OSes.
- Voyence's VoyenceControl! is a Java application that provides lifecycle change management services. It features support for templates, rollback and workflow.
- Rendition Networks' TrueControl is a Windows 2000 application that manages many network devices, including wireless access points and VPN concentrators.
- Intelliden's R-Series software is a Java application that performs device modeling along with its core network configuration features.
- Solsoft's Policy Server models a network and provides "point-and-click" security design, automatically calculating the ACLs required to allow access from a source endpoint to a server. It pushes out these changes and keeps track of them.
Today's enterprises and their distributed environments are too complex and their requirements too diverse to manage efficiently, but manage them you must. Network security provisioning solutions offer an option that makes sense.
About the author
Pete Lindstrom, CISSP, is research director at Spire Security.
This was first published in July 2004